
Actions for CISOs to Take Immediately


In October 2023, the Securities and Exchange Commission (SEC) made waves in the security industry by filing a landmark lawsuit against SolarWinds Corp. and its chief information security officer (CISO). The case marked a significant moment as it was the first time the SEC had targeted a CISO individually in an enforcement action. This move has sparked concerns among security leaders about how to safeguard themselves and their organizations from similar legal challenges.

The case stems from the well-known SolarWinds breach disclosed in 2020, in which a threat actor gained access to the company's environment and inserted a backdoor into builds of its Orion platform. SolarWinds then unknowingly distributed the trojanized Orion update to its customers through its normal, signed update channel, which is what made the compromise a supply-chain attack rather than a breach of one company.

In the October 2023 complaint, the SEC charged SolarWinds and its CISO, Timothy Brown, with making false and misleading statements about the company's cybersecurity posture, risks, and practices, both in documents filed with the SEC and in public statements such as press releases and blog posts. The complaint also alleged that the company's internal accounting controls were inadequate.

Given the implications of this case for CISOs in public companies, it is crucial for individuals in such roles to consider proactive steps to mitigate potential risks. While the legal proceedings surrounding the SEC’s lawsuit may unfold over an extended period, there are five key actions that all public company CISOs should contemplate taking now:

1. Establishing clear communication channels with the CFO and financial reporting team to ensure alignment between SEC reporting and information security functions, particularly in light of new reporting regulations for cybersecurity incidents.

2. Ensuring that statements meant for customers and vendors undergo rigorous review similar to those destined for shareholders, as all external communications can influence investors’ decision-making and carry legal consequences.

3. Verifying that information security policies and controls are up to date to prevent allegations of inadequate internal accounting controls that could impact financial reporting integrity, while also exploring available insurance and corporate protections.

4. Collaborating with internal audit and assurance providers to enhance the resilience of systems through regular testing and having multiple layers of oversight on external communications to reduce errors.

5. Seeking guidance from cybersecurity counsel on complex or evolving cybersecurity issues, especially when faced with novel situations that may have implications for SEC compliance.

The SEC's focus on protecting investors from the consequences of cybersecurity breaches underscores the need for transparency and accountability in the industry. The SEC's cybersecurity disclosure rules adopted in July 2023 require public companies to describe their cybersecurity risk management, strategy, and governance in their annual reports, and to disclose a cybersecurity incident on Form 8-K within four business days of determining that it is material. These requirements are reshaping the landscape of cybersecurity disclosures and highlighting the growing importance of transparency in the digital era.

As the legal proceedings between SolarWinds and the SEC unfold, it will be worth watching how the case influences future cybersecurity practices and disclosures across sectors. The precedent set by this action is a stark reminder of the evolving regulatory environment surrounding cybersecurity and of the imperative for organizations to prioritize transparency and compliance in an era defined by digital risk.
